Sluggish corporates ill-prepared for death of Win XP SP2 support

Expect attackable vulns to accumulate, warn security watchers

Common Topics

Analysis It's been months coming but many organisations are ill-prepared for the end of security support for Windows XP SP2, potentially leaving a huge population of vulnerable machines for hackers to exploit.

July's Patch Tuesday marked the closure of patching support for both Win 2000 and Windows XP Service Pack 2. From now on there'll be no security updates, hotfixes and other updates for Windows XP Service Pack 2 - regardless of how serious a threat any newly discovered vulnerability may pose to users stuck on the OS.

And it's not only the base OS that won't get patched. Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches, net security firm Sophos points out.

However, support for Windows Embedded XP SP2, an OS build frequently used in ATMs and point of sale terminals will extend until Jan 2011, so users of embedded systems have a few months to prepare for change. That's just as well since the management of these systems is often handled by third party suppliers, further complicating the process of rolling out changes.

Microsoft advises all XP SP2 users to upgrade to either XP SP3 or (preferably, from Redmond's perspective at least) Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014.

Microsoft named the precise date for the end of support for Win XP SP2, which debuted in August 2004, back in April.

Upgrading to Windows 7 may not be an option for sys admins supporting older PCs. Moving to XP SP3 is simpler but still poses application capability problems that means many corporates have been slow to move on, especially in the previous absence of any compelling reason to upgrade.

Win XP SP2 turned on the built-in firewall within Windows and proved a useful Defence against Blaster-style network worms prevalent at the time. No similarly compelling argument existed for an upgrade from XP SP2 to SP3.

"I believe the level of awareness for the upcoming change was not high enough," said Wolfgang Kandek, CTO at security risk and compliance management firm Qualys. "Unlike the SP1 to SP2 switch, there was no significant functionality added to SP3 that made the move enticing. Existing users are still very satisfied with the SP2 iteration of Windows XP."

"In the future, however, Windows XP SP2 users will not receive updates anymore and their systems will start to accumulate attackable vulnerabilities. Although we don’t have any insight into attackers’ preparations, I am expecting attackers to take advantage of the large pool of SP2 machines as soon as a suitable vulnerability appears."

Statistics from Qualys out last month estimate that around 50 per cent of Windows XP machines are still running SP2 level, while another recent survey by IT assessment services firm Softcheck found 77 per cent of organisations were still dependent on on SP2.

Computerworld runs through possible mitigation tactics for users who need to stick with Win XP SP2 for the time been, chief among which are dropping IE and continuing to patch third party apps. It also suggests sys admins should read Redmond's security vulns for clues on how to mitigate against further vulns in the absence of any patches, a process that sounds like a right old pain.

Dave Marcus, research and communications director for McAfee Labs, said enterprises needed to have a strategy in place to manage migration to supported versions of Windows.

"Many enterprises and consumer users still deploy and depend heavily on applications that run on this Windows build," said Marcus. "It is unclear how much risk and expense the end of support will cause users worldwide but we expect cybercriminals to capitalize on this opportunity."